Closed
Bug 785358
Opened 12 years ago
Closed 12 years ago
Assertion failure: fe->isType(type), at methodjit/Compiler.cpp:7623
Categories: Core :: JavaScript Engine, defect
Tracking: VERIFIED FIXED, mozilla18
People: Reporter: decoder, Assigned: bhackett1024
Details: Keywords: assertion, sec-critical, testcase; Whiteboard: [jsbugmon:verify-branch=mozilla-esr17,ignore][adv-main18+][adv-esr17+]
Attachments (1 file): patch, 1.45 KB (dvander: review+, lsblakk: approval-mozilla-esr17+)
The following test asserts on mozilla-central revision ad7963c93bd8 (options -m -a -n):
try {
    a = []
    function f(o) {
        o[5] = {}
    }
    with(a) f()
} catch(exc1) {}
evaluate("f({});");
Reporter
Updated•12 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Reporter
Comment 1•12 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 103051:bf07c6253287
user: Brian Hackett
date: Wed Aug 22 12:28:34 2012 -0600
summary: Allow purging analysis-temporary while retaining jitcode, bug 778724. r=luke
Assignee
Updated•12 years ago
Group: core-security
Assignee
Comment 3•12 years ago
Bug 778724 is innocent here, the different recompilation pattern it introduces exposed the bug. This is a regression from bug 731398; this bug allows initializers in run-once scripts to produce objects with singleton type, which TI will not try to guess at the result until the initializer actually runs. But JM will still treat these opcodes as definitely producing objects, a refinement of the type information which it shouldn't be doing.
Assignee: general → bhackett1024
Attachment #655357 - Flags: review?(dvander)
Updated•12 years ago
Attachment #655357 - Flags: review?(dvander) → review+
Updated•12 years ago
status-firefox-esr10: --- → unaffected
status-firefox15: --- → wontfix
status-firefox16: --- → affected
status-firefox17: --- → affected
status-firefox18: --- → affected
Updated•12 years ago
Keywords: sec-critical
Assignee
Comment 4•12 years ago
Reporter
Updated•12 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Reporter
Comment 5•12 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 1b0b56afa33a).
Comment 6•12 years ago
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
Reporter
Updated•12 years ago
Status: RESOLVED → VERIFIED
Reporter
Comment 7•12 years ago
JSBugMon: This bug has been automatically verified fixed.
Comment 8•12 years ago
Confirmed assert on 2012-8-24, nightly jsshell
I can confirm fixed (or unable to reproduce) on jsshell for beta/Aurora/nightly, 2012-11-20. However, above comments say it was only fixed for 18.
Is this correct? What would we expect to see here?
Comment 9•12 years ago
Assuming affected for 17 - decoder, do you mind rechecking if 17 is still affected?
(wontfix'ing for 16 since 17 is out of the door)
status-firefox19: --- → fixed
status-firefox20: --- → fixed
status-firefox-esr17: --- → affected
Flags: needinfo?(choller)
Reporter
Updated•12 years ago
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:verify-branch=mozilla-release]
Reporter
Updated•12 years ago
Whiteboard: [jsbugmon:verify-branch=mozilla-release] → [jsbugmon:verify-branch=mozilla-release,ignore]
Reporter
Comment 10•12 years ago
JSBugMon: This bug has been automatically confirmed to be still valid on branch mozilla-release (reproduced on revision 53fc01ba93c2).
Flags: needinfo?(choller)
Updated•12 years ago
tracking-firefox-esr17: --- → ?
Reporter
Comment 11•12 years ago
Also trying to confirm for ESR17 branch.
Whiteboard: [jsbugmon:verify-branch=mozilla-release,ignore] → [jsbugmon:verify-branch=mozilla-esr17]
Reporter
Updated•12 years ago
Whiteboard: [jsbugmon:verify-branch=mozilla-esr17] → [jsbugmon:verify-branch=mozilla-esr17,ignore]
Reporter
Comment 12•12 years ago
JSBugMon: This bug has been automatically confirmed to be still valid on branch mozilla-esr17 (reproduced on revision 30b9dd4e9966).
Comment 13•12 years ago
Tracking for ESR 17 that will ship with Firefox 18 - can someone please nominate for esr17 approval (assuming this patch lands cleanly there) or prepare an esr17 patch?
Assignee
Comment 14•12 years ago
Comment on attachment 655357
patch
[Approval Request Comment]
Fix Landed on Version: 18
Risk to taking this patch (and alternatives if risky): None
Attachment #655357 - Flags: approval-mozilla-esr17?
Updated•12 years ago
Attachment #655357 - Flags: approval-mozilla-esr17? → approval-mozilla-esr17+
Updated•12 years ago
Keywords: checkin-needed
Comment 15•12 years ago
Updated•12 years ago
Whiteboard: [jsbugmon:verify-branch=mozilla-esr17,ignore] → [jsbugmon:verify-branch=mozilla-esr17,ignore][adv-main18+][adv-esr17+]
Updated•12 years ago
Group: core-security